CVE-2023-29208: XWIKI-16285: Error when accessing deleted document · xwiki/xwiki-platform@d9e9475
XWiki Commons are technical libraries common to several other top level XWiki projects. Rights added to a document are not taken into account for viewing it once it’s deleted. Note that this vulnerability only impacts deleted documents that contained view rights: the view rights provided on a space of a deleted document are properly checked. The problem has been patched in XWiki 14.10 by checking the rights of the current user: only admins and the deleter of the document are allowed to view it.
@@ -22,18 +22,23 @@ import java.util.Calendar; import java.util.Date; import java.util.Locale; import java.util.Objects;
import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.xwiki.component.util.DefaultParameterizedType; import org.xwiki.model.reference.DocumentReference; import org.xwiki.security.authorization.Right; import org.xwiki.stability.Unstable; import org.xwiki.user.UserReference; import org.xwiki.user.UserReferenceResolver;
import com.xpn.xwiki.XWikiContext; import com.xpn.xwiki.XWikiException; import com.xpn.xwiki.doc.XWikiDeletedDocument; import com.xpn.xwiki.doc.XWikiDocument; import com.xpn.xwiki.store.XWikiRecycleBinStoreInterface; import com.xpn.xwiki.util.Programming; import com.xpn.xwiki.web.Utils;
/** * Information about a deleted document in the recycle bin. @@ -52,6 +57,8 @@ public class DeletedDocument extends Api */ private final XWikiDeletedDocument deletedDoc;
private UserReferenceResolver<DocumentReference> userReferenceResolver;
/** * Simple constructor, initializes a new API object with the current {@link com.xpn.xwiki.XWikiContext context} and * the specified protected {@link com.xpn.xwiki.doc.XWikiDeletedDocument deleted document} object. @@ -134,22 +141,46 @@ public String getBatchId() return this.deletedDoc.getBatchId(); }
private UserReferenceResolver<DocumentReference> getUserReferenceResolver() { if (this.userReferenceResolver == null) { this.userReferenceResolver = Utils.getComponent( new DefaultParameterizedType(null, UserReferenceResolver.class, DocumentReference.class), “document”); } return this.userReferenceResolver; }
private boolean hasAccess(Right right) { UserReference userReference = getUserReferenceResolver().resolve(this.context.getUserReference()); XWikiRecycleBinStoreInterface recycleBinStore = this.context.getWiki().getRecycleBinStore(); return recycleBinStore.hasAccess(right, userReference, this.deletedDoc); }
/** * Check if the current user has the right to restore the document. * * @return {@code true} if the current user can restore this document, {@code false} otherwise */ public boolean canUndelete() { try { return hasAccessLevel(ADMIN_RIGHT, getFullName()) || hasAccessLevel("undelete", getFullName()) || (Objects.equals(this.context.getUserReference(), getDeleterReference()) && hasAccess(Right.EDIT, getDocumentReference())); } catch (XWikiException ex) { // Public APIs should not throw exceptions LOGGER.warn("Exception while checking if entry [{}] can be restored from the recycle bin", getId(), ex); return false; } return hasAccess(Right.EDIT); }
/** * Check if the current user has the right to view the deleted document. * This is allowed either if the user has admin right on the original reference of the doc, or if they were the * original user who deleted it. * * @return {code true} if the current user is allowed to view the deleted document. * @since 14.10RC1 * @since 14.4.7 * @since 13.10.11 */ @Unstable public boolean canView() { return hasAccess(Right.VIEW); }
/**
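Review bot: The new `canView()` javadoc has a broken inline tag, `{code true}` should be `{@code true}`, and its sentence about "admin right or the original deleter" describes a policy that now lives in the recycle bin store rather than in this class, so it will drift silently if the store changes; suggest replacing it with `Delegates the check to {@link XWikiRecycleBinStoreInterface#hasAccess(Right, UserReference, XWikiDeletedDocument)}.` In `hasAccess(Right)`, `this.context.getUserReference()` can be null for a guest session and it is not visible here whether the `document` resolver maps null to the guest reference or throws, so a test that `canView()` and `canUndelete()` return false rather than throw for a guest would be worth adding. The rewritten `canUndelete()` also drops the old try/catch whose comment said public APIs should not throw, so any exception escaping the resolver or the store now propagates from the scripting API; if the store method can throw, consider keeping the catch-and-log around the single `hasAccess(Right.EDIT)` call. The lazy init in `getUserReferenceResolver()` is not thread-safe, which is presumably acceptable if these `Api` objects are request-scoped, but worth a one-line comment stating that assumption.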
### Impact Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impacts deleted documents that contained view rights: the view rights provided on a space of a deleted document are properly checked. ### Patches The problem has been patched in XWiki 14.10 by checking the rights of the current user: only admins and the deleter of the document are allowed to view it. ### Workarounds There is no workaround for this vulnerability other than upgrading. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-16285 * Commit: https://github.com/xwiki/xwiki-platform/commit/d9e947559077e947315bf700c5703dfc7dd8a8d7 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security ML](mailto:[email protected])